Abstract. In mathematics, it is common practice to have several constructions
for the same objects. Mathematicians will identify them modulo isomorphism and
will not worry later on which construction they use, as theorems proved for one
construction will be valid for all.

When working with proof assistants, it is also common to see several 
data-types representing the same objects. This work aims at making the 
use of several isomorphic constructions as simple and as transparent as 
it can be done informally in mathematics. This requires inferring automatically
the missing proof-steps.

We are designing an algorithm which finds and fills these missing proof-steps
and we are implementing it as a plugin for Coq¹.


1 Introduction 

With examples such as the well-known relation between linear maps and matrices,
the various constructions of real numbers (equivalence classes of Cauchy
sequences, Dedekind cuts, infinite sequences of digits, subset of complex numbers),
we see that there are a great many cases when identifying several constructions 
of the same objects can be useful in mathematics. In particular, proofs are then 
done on the most convenient one but theorems apply to all. 

In formal systems like Coq [J, a canonical example is the various constructions
available for natural numbers. The most natural construction and the closest
to the mathematical view is unary (0, S 0, S (S 0) and so on) while the more
efficient binary construction is closest to what is available in most programming
languages.

When several constructions coexist, they often share an axiomatic representation,
abstracting away from the internal details. In Coq, it is possible to do
proofs directly on the axiomatic representation thanks to the module and functor
system [1]. While this has the advantage of factoring proofs, it also makes
the proof harder as it does not allow taking advantage of the specifics of the
implementation.

¹ This plugin introduces a new tactic called exact modulo. Its most recent version is
available on the web at https://github.com/Zimmi48/transfer

The purpose of this work is to make it easy to transport theorems to all isomorphic
constructions even when the proof relies on one particular such construction.
In an informal setting, the mathematician would declare that “we can identify
the two structures” once she has proved they were isomorphic and would proceed
from there. Our goal is to justify that claim because it will be that missing
justification that the proof checker will ask for. Moreover, we need to determine
when this justification is missing and insert it automatically.

Although we focus on isomorphic structures in our description of the problem
and in our examples, we want to emphasize that we strive to be as general
as possible and require as little as possible to allow the automatic transfer of a
theorem. Sometimes an isomorphism is required but sometimes a weaker correspondence
is sufficient. Our algorithm will typically allow the following transfer:

Example 1. Take two sets $A$ and $A'$. If we have the following result on the first
set:

Axiom 1 ($A$ is empty).

$$\forall x \in A,\ \bot .$$

then a surjective function $f : A \to A'$ is all we need to transfer the result and
get:

Theorem 1 ($A'$ is empty).

$$\forall x' \in A',\ \bot .$$

Here is the complete corresponding Coq development (using our plugin -
although in that case, it is extremely easy to build the proof by hand):

    Parameter A A' : Set.
    Axiom emptyA : forall x : A, False.
    Parameter f : A -> A'.
    Parameter g : A' -> A.
    Axiom surjf : forall x' : A', f (g x') = x'.
    Declare Surjection f by (g, surjf).
    Theorem emptyA' : forall x' : A', False.
    exact modulo emptyA.
    Qed.

In the remainder of this text, we will start by presenting our current algorithm 
which is able to transfer a limited but already interesting set of theorems. Then, 
we will detail our ideas to generalize it. Finally, we will compare our approach 
to previous related works. 

2 How to Transfer a Theorem 


To start, we are limiting ourselves to transferring first-order formulas containing 
only universal quantifiers, implication and relations. 




2.1 User-provided declarations 


We only require the user to provide a set of surjective functions between
related data-types, along with a proof of surjectivity, and transfer lemmas. That
is, we can relate two data-types $A$ and $A'$ by producing a function $f : A \to A'$
and a proof that $f$ is surjective. To ease our task, we will require that the proof
that $f$ is surjective be given by producing a right-inverse² $g$ and a proof that

$$\forall x' \in A',\ f(g(x')) = x' .$$

If the user wishes to transfer a relation $R \in A \times A \times \dots \times A$ to a relation
$R' \in A' \times A' \times \dots \times A'$, she must provide a transfer lemma of the form

$$\forall x_1 \dots x_n \in A,\ R(x_1, \dots, x_n) \Rightarrow R'(f(x_1), \dots, f(x_n))$$

where $f$ is called the transfer function between $R$ and $R'$.

The declared surjections and transfer lemmas will be stored in tables (maps). 
A given surjection can be retrieved by looking for a pair of data-types while a 
given transfer lemma can be retrieved by looking for a pair of relations. There 
can be only one stored item for each key which prevents defining several distinct 
isomorphisms between two structures. 

Example 2 shows how this is enough for transferring interesting theorems
from one data-type to another.

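Example 2. Suppose we are given two data-types to represent $\mathbb{N}$, called nat and
N, together with two relations $\leq_{\mathrm{nat}}$ and $\leq_{\mathrm{N}}$.

We know nothing of their implementation but we are also given two functions
$\mathrm{N.to\_nat} : \mathrm{N} \to \mathrm{nat}$ and $\mathrm{N.of\_nat} : \mathrm{nat} \to \mathrm{N}$ and the four accompanying axioms:

Axiom 2 (Surjectivity of N.to_nat).

$$\forall x \in \mathrm{nat},\ \mathrm{N.to\_nat}(\mathrm{N.of\_nat}(x)) = x .$$

Axiom 3 (Surjectivity of N.of_nat).

$$\forall x' \in \mathrm{N},\ \mathrm{N.of\_nat}(\mathrm{N.to\_nat}(x')) = x' .$$

Axiom 4 (Transfer from $\leq_{\mathrm{N}}$ to $\leq_{\mathrm{nat}}$ by N.to_nat).

$$\forall x', y' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow \mathrm{N.to\_nat}(x') \leq_{\mathrm{nat}} \mathrm{N.to\_nat}(y') .$$

Axiom 5 (Transfer from $\leq_{\mathrm{nat}}$ to $\leq_{\mathrm{N}}$ by N.of_nat).

$$\forall x, y \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow \mathrm{N.of\_nat}(x) \leq_{\mathrm{N}} \mathrm{N.of\_nat}(y) .$$

Finally, we are given the following result to transfer:

Axiom 6 (Transitivity of $\leq_{\mathrm{nat}}$).

$$\forall x, y, z \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z .$$

² In other words, using terminology of category theory, we ask that $g$ be a section of
$f$ and $f$ be a retraction of $g$.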

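All these results enable us indeed to transfer Axiom 6 into Theorem 6.

Theorem 6 (Transitivity of $\leq_{\mathrm{N}}$).

$$\forall x', y', z' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' .$$

Proof. Let $x', y', z' \in \mathrm{N}$ and assume that the following two hypotheses hold:

$$x' \leq_{\mathrm{N}} y' , \tag{1}$$

$$y' \leq_{\mathrm{N}} z' . \tag{2}$$

From (1) (respectively (2)) and Axiom 4 we draw

$$\mathrm{N.to\_nat}(x') \leq_{\mathrm{nat}} \mathrm{N.to\_nat}(y') , \tag{3}$$

$$\mathrm{N.to\_nat}(y') \leq_{\mathrm{nat}} \mathrm{N.to\_nat}(z') . \tag{4}$$

We can now apply Axiom 6 to $\mathrm{N.to\_nat}(x')$, $\mathrm{N.to\_nat}(y')$ and $\mathrm{N.to\_nat}(z')$ and
conclude

$$\mathrm{N.to\_nat}(x') \leq_{\mathrm{nat}} \mathrm{N.to\_nat}(z') . \tag{5}$$

We then apply Axiom 5 to get

$$\mathrm{N.of\_nat}(\mathrm{N.to\_nat}(x')) \leq_{\mathrm{N}} \mathrm{N.of\_nat}(\mathrm{N.to\_nat}(z')) . \tag{6}$$

That is (rewriting with Axiom 3):

$$x' \leq_{\mathrm{N}} z' . \tag{7}$$

□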

You will have noticed that Axiom 2 has not been useful here. It would have
been if there had been a quantification to transfer inside one of the hypotheses.
This suggests a similar example where Axiom 2 would not hold, thus where there
would be no isomorphism between the two related data-types. Such an example
is provided in the repository containing the plugin: we transfer various theorems
(such as transitivity of $\leq$) from Z to N.
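
The proof of Theorem 6 above, replayed step by step in plain Coq without the plugin. This is an added example, not code from the paper or from the plugin repository; the section variables T, T', le_T, le_T', to_T, of_T and all hypothesis names are assumptions standing for nat, N, the two relations, N.to_nat, N.of_nat and Axioms 2 to 6.

```coq
Section TransitivityByHand.
  (* Abstract stand-ins for nat, N and their two order relations: nothing is
     known of their implementation, as in Example 2. All names are assumptions. *)
  Variables T T' : Type.
  Variable le_T : T -> T -> Prop.
  Variable le_T' : T' -> T' -> Prop.
  Variable to_T : T' -> T.              (* plays the role of N.to_nat *)
  Variable of_T : T -> T'.              (* plays the role of N.of_nat *)

  Hypothesis to_of : forall x : T, to_T (of_T x) = x.          (* Axiom 2 *)
  Hypothesis of_to : forall x' : T', of_T (to_T x') = x'.      (* Axiom 3 *)
  Hypothesis to_transfer :                                     (* Axiom 4 *)
    forall x' y' : T', le_T' x' y' -> le_T (to_T x') (to_T y').
  Hypothesis of_transfer :                                     (* Axiom 5 *)
    forall x y : T, le_T x y -> le_T' (of_T x) (of_T y).
  Hypothesis le_T_trans :                                      (* Axiom 6 *)
    forall x y z : T, le_T x y -> le_T y z -> le_T x z.

  Theorem le_T'_trans :                                        (* Theorem 6 *)
    forall x' y' z' : T', le_T' x' y' -> le_T' y' z' -> le_T' x' z'.
  Proof.
    intros x' y' z' H1 H2.                     (* hypotheses (1) and (2) *)
    apply to_transfer in H1.                   (* (3), by Axiom 4 *)
    apply to_transfer in H2.                   (* (4), by Axiom 4 *)
    pose proof (le_T_trans _ _ _ H1 H2) as H5. (* (5), by Axiom 6 *)
    apply of_transfer in H5.                   (* (6), by Axiom 5 *)
    rewrite !of_to in H5.                      (* (7), rewriting with Axiom 3 *)
    exact H5.
  Qed.
End TransitivityByHand.

(* Closing the section generalises le_T'_trans only over what its proof uses:
   the printed statement has no premise for to_of (Axiom 2). *)
Check le_T'_trans.
```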

2.2 Preliminaries in type-theory-based logic 

Understanding the proposed algorithm will not require much knowledge about 
the internals of Coq: 

- Dependent products are the way in which the Calculus of Inductive Constructions
  [3, Ch. 4], the logical base of Coq, models both universal quantification
  and implication. The implication is just the degenerate non-dependent
  case, i.e. $A \Rightarrow B$ is just an abbreviation for $\forall x : A, B$ when $x$ does not appear
  in $B$.

- In the Calculus of Inductive Constructions as well as in any other
  type-theory-based logic, proofs can be viewed as programs, and in particular the
  proof $p_{A \Rightarrow B}$ of an implication $A \Rightarrow B$ can be viewed as a function that takes
  a proof $p_A$ of $A$ as argument and produces a proof $p_{A \Rightarrow B}(p_A)$ of $B$.


2.3 The algorithm 


Algorithm 1 takes as input two formulas (called theorem and goal) differing only
in the data-types that are quantified over and in the relations they contain, as 
well as a proof of theorem. It outputs a proof of goal provided that the differences 
between the two formulas all correspond to previously declared surjections and 
transfer lemmas. 

The algorithm is recursive over the structure of the two formulas (which must 
be the same). There are two main cases: when the formulas are atoms (i.e. in 
our case, relations applied to arguments) or dependent products. 

You will have noticed, at line 25 of Algorithm 1, the strange choice of substituting
$x'$ with $f(g(x'))$ only in covariant places. As $x' = f(g(x'))$, we could have
done the substitution wherever we liked. We do it only in covariant places so that
the formulas in the recursive calls will have exactly the right form when reaching
the atomic case (relations). One can convince oneself that substituting in covariant
places is enough by observing what it gives on the last example (transitivity
of $\leq_{\mathrm{N}}$) while remembering that the right-hand side of an implication is covariant
while the left-hand side is contravariant.

We could add support for logical connectives such as $\wedge$ and $\vee$ or the existential
quantifier $\exists$ but as they play no specific role in the Calculus of Inductive
Constructions (unlike universal quantification and implication), we rather want
a more general way of treating any such addition. As for the negation $\neg A$, in
Coq it is defined as $A \Rightarrow \bot$ so it is already supported provided we unfold its
definition first.

3 Generalizing 

Algorithm 1 has quite a lot of limitations at the moment which we plan to lift.

Functions. So far we have considered only relations. Even though any function 
can be expressed as a relation, this path would require a lot of preliminary 
rewriting steps; thus it would be a lot more convenient to be able to transfer 
functions directly. Given that relations are represented as functions to the special 
sort Prop in Coq, what we need is a generalization where functions to any type,
as well as internal operators, would be supported. 

New connectives. We want to be able to handle logical connectives such as $\wedge$
and $\vee$ but also various other combinators and non-propositional functions. For
instance, we should be able to transfer theorems involving equality.

Other equivalence relations. Currently, Leibniz (structural) equality plays a special
role as it has to appear in the surjection lemmas. Leibniz equality has the
advantage of allowing rewriting in any subterm. But techniques have already
been devised [8] to allow rewriting with other equivalence relations and we plan
to draw inspiration from them.


Algorithm 1 Transfer a Theorem

Precondition: In the environment $\Gamma$, $F$ and $F'$ are two well-defined formulas
and $p_F$ is a proof of $F$.

Postcondition: ExactModulo($\Gamma$, $F$, $F'$, $p_F$) is a proof of $F'$ in environment $\Gamma$ or it
is a failure.

    function ExactModulo($\Gamma$, $F$, $F'$, $p_F$)
        if $F = F'$ then
            return $p_F$
 5:     else if $F = R(t_1, \dots, t_n)$ and $F' = R'(t'_1, \dots, t'_n)$ then
            $f \leftarrow$ transfer function between $R$ and $R'$
                ▷ return failure if it does not exist
            $p_{\mathrm{transfer}} \leftarrow$ proof of compatibility of $f$ with respect to $R$ and $R'$
            for $i \leftarrow 1$ to $n$ do
10:             if $t'_i \neq f(t_i)$ then
                    return failure
            return $p_{\mathrm{transfer}}(t_1, \dots, t_n, p_F)$
        else if $F = \forall x : A, B$ and $F' = \forall x' : A', B'$ then
            $\Gamma' \leftarrow \Gamma, x' : A'$
15:         $t \leftarrow$ ExactModulo($\Gamma'$, $A'$, $A$, $x'$)
            if $t \neq$ failure then
                $p_{\mathrm{rec}} \leftarrow$ ExactModulo($\Gamma'$, $B$, $B'$, $p_F(t)$)
                    ▷ return failure if $p_{\mathrm{rec}}$ = failure
                return $\lambda x' : A' . p_{\mathrm{rec}}$
20:         else
                $f \leftarrow$ surjection from $A$ to $A'$    ▷ return failure if it does not exist
                $g \leftarrow$ right-inverse of $f$
                $p_{\mathrm{surjection}} \leftarrow$ proof that $g$ is a right-inverse of $f$
                $B_{\mathrm{subst}} \leftarrow B$ where $x$ was replaced by $g(x')$
25:             $B'_{\mathrm{subst}} \leftarrow B'$ where $x'$ was replaced by $f(g(x'))$ in covariant places
                $p_{\mathrm{rec}} \leftarrow$ ExactModulo($\Gamma'$, $B_{\mathrm{subst}}$, $B'_{\mathrm{subst}}$, $p_F(g(x'))$)
                    ▷ return failure if $p_{\mathrm{rec}}$ = failure
                Now $\lambda x' : A' . p_{\mathrm{rec}}$ is a proof of $\forall x' : A', B'_{\mathrm{subst}}$. With the help of $p_{\mathrm{surjection}}$
                    we can transform it into $p_{F'}$, a proof of $\forall x' : A', B'$.
                return $p_{F'}$
30:     else
            return failure




No right-inverse. For simplicity, we have asked so far for proofs of surjectivity 
which involved producing a right-inverse. This has a major drawback. Indeed, 
surjectivity is equivalent to having a right-inverse only if we admit the Axiom 
of Choice. We want our algorithm to be as general as possible, therefore we will 
work to remove that requirement. 

3.1 Generalizing Declarations 

Transfer lemmas. The Coq Morphisms library³ introduces a new notion of
respectful morphisms for a binary homogeneous relation. We draw from [5] the
idea of using the generalized heterogeneous version for our transfer declarations.
Heterogeneous relations bring us the ability to relate objects from one data-type
with objects from another data-type.

We will note

    (R ##> R') f g := forall (x : X) (y : Y), R x y -> R' (f x) (g y).

This can also be seen as a (commutative) diagram.

             R
        X <-----> Y
        |         |
      f |         | g
        v         v
        X' <----> Y'
             R'

It is easy to show that this corresponds precisely to a very general notion of
homomorphism that can be found in mathematics textbooks such as [7, Ch. 5.7].
The pair of mappings $(f, g)$ is a homomorphism between the two “structures”
$(X \times Y, R)$ and $(X' \times Y', R')$ if the following holds:

$$R \circ g \subseteq f \circ R'$$

where $\circ$ is the relational composition, i.e.

$$\forall x \in X, y' \in Y',\ [(R \circ g)(x, y') \iff \exists y \in Y,\ R(x, y) \wedge g(y) = y'] ,$$

$$\forall x \in X, y' \in Y',\ [(f \circ R')(x, y') \iff \exists x' \in X',\ f(x) = x' \wedge R'(x', y')] .$$

It will be possible to declare all sorts of transfer lemmas thanks to the respectful
arrow as can be seen in the following example.

³ The Coq Morphisms library is part of the work of Matthieu Sozeau [8] to generalize
rewriting for equivalence relations that are not Leibniz equality. Its documentation is
available online at https://coq.inria.fr/library/Coq.Classes.Morphisms.html

Example 3. Let us consider a heterogeneous binary relation natN relating elements
of nat with elements of N. One possible definition would be:

    Definition natN x x' := N.of_nat x = x'.

Then, we can declare how to transfer various functions and relations:







    Theorem le_transfer : (natN ##> natN ##> impl) le N.le.

where le represents $\leq_{\mathrm{nat}}$, N.le represents $\leq_{\mathrm{N}}$ and impl is a relation corresponding
to the implication (also, note that ##> is right-associative). That is,
after unfolding the definitions of natN, ##> and impl:

    Theorem le_transfer :
      forall (x : nat) (x' : N), N.of_nat x = x' ->
      forall (y : nat) (y' : N), N.of_nat y = y' -> le x y -> N.le x' y'.

Considering two new Boolean functions iszero_nat and iszero_N, we can
make explicit how they relate in the following way:

    Theorem iszero_transfer : (natN ##> @eq bool) iszero_nat iszero_N.

where @eq bool is the Boolean equality.

Finally, considering two operations Nat.add and N.add:

    Theorem plus_transf : (natN ##> natN ##> natN) Nat.add N.add.

Surjection lemmas. That very same idea of respectful morphisms can be used
to replace the surjection declarations we used so far. Just as we had replaced
the implication → by a new relation impl, we will use a new relation @all to
represent ∀:

    @all A (fun x : A => B) := forall x : A, B.

Any surjection declaration in the style of Sec. 2

    Declare Surjection f by (g, proof).

can be equivalently replaced by the following three declarations:

    Theorem R_surj : ((R ##> impl) ##> impl) (@all A) (@all A').
    Theorem R_tot : ((R⁻¹ ##> impl) ##> impl) (@all A') (@all A).
    Theorem R_func : (R ##> R ##> impl) (@eq A) (@eq A').

where R x x' := f x = x' and R⁻¹ x' x := R x x'.

The first declaration corresponds to the surjectivity of relation R (also called
right-totality). The second and third declarations express the fact that R is a
mapping. More precisely, the second declaration corresponds to the surjectivity
of the inverse relation, that is the (left-)totality of R. The third declaration
expresses the knowledge that R is functional (also called univalent in [3, Ch. 5.1]
or right-unique elsewhere).

The three declarations provide interesting “point-free” formulations of a relation's
totality and unicity properties. Let us unfold two of them to give more
intuition on what they mean:



    Theorem R_surj :
      forall P P', (forall (x : A) (x' : A'), R x x' -> P x -> P' x') ->
      (forall x : A, P x) -> forall x' : A', P' x'.

    Theorem R_func :
      forall (x : A) (x' : A'), R x x' ->
      forall (y : A) (y' : A'), R y y' -> x = y -> x' = y'.

We immediately see that R_func indeed expresses that R is functional (each
input has at most one output). As for R_surj, while it is clearly a necessary
condition for surjectivity, we will have to instantiate the theorem with
P = fun _ : A => True and P' = fun x' : A' => exists x : A, R x x' to see that it is
sufficient.

We can already foresee two advantages of this new formulation of surjectivity
lemmas. First, it is more general as it will allow considering data-types which
are related by a non-functional or non-total relation. Second, we can already
imagine replacing @eq by any equivalence relation and @all by any bounded
quantification, thus allowing to relate two partial quotients and not only classic
data-types.
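
The three declarations of this section, derived in plain Coq from a surjection given as in Sec. 2 by f, g and surjf, together with the instantiation of P and P' that shows R_surj is sufficient for surjectivity. This is an added example, not code from the paper or its plugin; hresp, the local impl, Rinv, R_surj_sufficient and the notation level chosen for ##> are assumptions made here.

```coq
(* Heterogeneous respectful arrow, following the definition given in Sec. 3.1.
   The name hresp and the notation level are assumptions of this example. *)
Definition hresp {X Y X' Y' : Type}
    (R : X -> Y -> Prop) (R' : X' -> Y' -> Prop)
    (h : X -> X') (k : Y -> Y') : Prop :=
  forall (x : X) (y : Y), R x y -> R' (h x) (k y).
Infix "##>" := hresp (at level 55, right associativity).

(* Implication seen as a relation on propositions (defined locally). *)
Definition impl (P Q : Prop) : Prop := P -> Q.

Section SurjectionDeclarations.
  Variables A A' : Type.
  Variable f : A -> A'.
  Variable g : A' -> A.
  Hypothesis surjf : forall x' : A', f (g x') = x'.

  Definition R (x : A) (x' : A') : Prop := f x = x'.
  Definition Rinv (x' : A') (x : A) : Prop := R x x'.   (* inverse of R *)

  (* Surjectivity (right-totality) of R: the only place where g is needed. *)
  Theorem R_surj : ((R ##> impl) ##> impl) (@all A) (@all A').
  Proof.
    intros P P' HP HA x'.
    exact (HP (g x') x' (surjf x') (HA (g x'))).
  Qed.

  (* (Left-)totality of R: every x is related to f x. *)
  Theorem R_tot : ((Rinv ##> impl) ##> impl) (@all A') (@all A).
  Proof.
    intros P' P HP HA' x.
    exact (HP (f x) x (eq_refl (f x)) (HA' (f x))).
  Qed.

  (* Functionality of R: related outputs of equal inputs are equal. *)
  Theorem R_func : (R ##> R ##> impl) (@eq A) (@eq A').
  Proof.
    intros x x' Hx y y' Hy Hxy.
    unfold R in Hx, Hy.
    subst.
    reflexivity.
  Qed.

  (* Converse direction: the point-free statement alone gives surjectivity,
     using P = fun _ => True and P' = fun y' => exists x, R x y'. *)
  Lemma R_surj_sufficient :
    ((R ##> impl) ##> impl) (@all A) (@all A') ->
    forall x' : A', exists x : A, R x x'.
  Proof.
    intros H x'.
    exact (H (fun _ : A => True) (fun y' : A' => exists x : A, R x y')
             (fun x y' Hxy _ => ex_intro _ x Hxy)
             (fun _ => I) x').
  Qed.
End SurjectionDeclarations.
```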


3.2 Transfer to the context 

In [8], Matthieu Sozeau gives a set of inference rules to find where a rewrite can
occur and the proof that the rewrite is correct. Building the proof will sometimes
require prior declarations that some functions are respectful morphisms for some
homogeneous relations. For our purpose, we need to generalize these rules to
heterogeneous relations.

As before, we take a theorem and a goal as arguments and we must produce
a proof of thm -> goal, that is impl thm goal. We borrow the notation

$$\Gamma \vdash \tau \rightsquigarrow^{R}_{p} \tau'$$

which means that given an environment $\Gamma$ in which $\tau$ and $\tau'$ are well-defined, $p$
is a proof of $R(\tau, \tau')$.

Initially, given a theorem $\Gamma \vdash \tau$ and a goal $\Gamma \vdash \tau'$, we want to derive a
judgment of the form:

$$\Gamma \vdash \tau \rightsquigarrow^{\mathrm{impl}}_{p} \tau'$$

Rules. We give in Fig. 1 the rules to get to that judgment, adapted from [5].
We have dropped the Unify rule as it was used for rewriting but does not apply
in our case. To avoid unnecessary complexity, we have also chosen to drop the
Sub rule in a first version.

From these rules, we plan to derive a deterministic algorithm, which we will 
implement and test. 

We will now illustrate each of these rules by a few examples, taken from the
transfer of Axiom 6 (transitivity of $\leq_{\mathrm{nat}}$) to Theorem 6 (transitivity of $\leq_{\mathrm{N}}$).


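$$\frac{p : R(\tau, \tau') \in \Gamma}{\Gamma \vdash \tau \rightsquigarrow^{R}_{p} \tau'}\ \text{Env} \qquad \frac{p : R(\tau, \tau') \in \text{Tables}}{\Gamma \vdash \tau \rightsquigarrow^{R}_{p} \tau'}\ \text{Table}$$

$$\frac{\Gamma, x : \tau_1, x' : \tau_1', H : R(x, x') \vdash \tau_2 \rightsquigarrow^{S}_{p} \tau_2'}{\Gamma \vdash \lambda x : \tau_1 . \tau_2 \rightsquigarrow^{R \mathrel{\#\#>} S}_{\lambda x : \tau_1, x' : \tau_1', H : R(x, x') . p} \lambda x' : \tau_1' . \tau_2'}\ \text{Lambda}$$

$$\frac{\Gamma \vdash f \rightsquigarrow^{R \mathrel{\#\#>} S}_{p_f} f' \qquad \Gamma \vdash e \rightsquigarrow^{R}_{p_e} e'}{\Gamma \vdash f(e) \rightsquigarrow^{S}_{p_f(e, e', p_e)} f'(e')}\ \text{App}$$

$$\frac{\Gamma \vdash \mathtt{@all}\ \tau_1\ (\lambda x : \tau_1 . \tau_2) \rightsquigarrow^{R}_{p} \mathtt{@all}\ \tau_1'\ (\lambda x' : \tau_1' . \tau_2')}{\Gamma \vdash \forall x : \tau_1, \tau_2 \rightsquigarrow^{R}_{p} \forall x' : \tau_1', \tau_2'}\ \text{Forall}$$

$$\frac{\Gamma \vdash \mathtt{impl}\ \tau_1\ \tau_2 \rightsquigarrow^{R}_{p} \mathtt{impl}\ \tau_1'\ \tau_2'}{\Gamma \vdash \tau_1 \Rightarrow \tau_2 \rightsquigarrow^{R}_{p} \tau_1' \Rightarrow \tau_2'}\ \text{Arrow}$$

Fig. 1. exact modulo inference rules.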


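Example 4. Initially, we want to find a judgment of the form

$$\begin{aligned} \vdash\ & \forall x, y, z \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z \\ \rightsquigarrow^{\mathrm{impl}}\ & \forall x', y', z' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' . \end{aligned}$$

By rule Forall, this reduces to

$$\begin{aligned} \vdash\ & \mathtt{@all}\ \mathrm{nat}\ (\lambda x : \mathrm{nat},\ \forall y, z \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z) \\ \rightsquigarrow^{\mathrm{impl}}\ & \mathtt{@all}\ \mathrm{N}\ (\lambda x' : \mathrm{N},\ \forall y', z' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z') . \end{aligned}$$

By rule App, this reduces to

$$\begin{aligned} \vdash\ & \lambda x : \mathrm{nat},\ \forall y, z \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z \\ \rightsquigarrow^{R}\ & \lambda x' : \mathrm{N},\ \forall y', z' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' , \end{aligned} \tag{8}$$

$$\vdash \mathtt{@all}\ \mathrm{nat} \rightsquigarrow^{R \mathrel{\#\#>} \mathrm{impl}} \mathtt{@all}\ \mathrm{N} . \tag{9}$$

Then (9) is solved by applying rule Table. We get $R = \mathrm{natN} \mathrel{\#\#>} \mathrm{impl}$. Finally,
we can report the value of $R$ in (8) and apply rule Lambda and thus our initial
problem reduces to

$$\begin{aligned} x : \mathrm{nat},\ x' : \mathrm{N},\ H : \mathrm{natN}\ x\ x' \vdash\ & \forall y, z \in \mathrm{nat},\ x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z \\ \rightsquigarrow^{\mathrm{impl}}\ & \forall y', z' \in \mathrm{N},\ x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' . \end{aligned}$$

From now on,

$$\begin{aligned} \Gamma =\ & x : \mathrm{nat},\ x' : \mathrm{N},\ H : \mathrm{natN}\ x\ x', \\ & y : \mathrm{nat},\ y' : \mathrm{N},\ H_1 : \mathrm{natN}\ y\ y', \\ & z : \mathrm{nat},\ z' : \mathrm{N},\ H_2 : \mathrm{natN}\ z\ z' . \end{aligned}$$

We now consider the problem of finding a judgment of the form

$$\begin{aligned} \Gamma \vdash\ & x \leq_{\mathrm{nat}} y \Rightarrow y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z \\ \rightsquigarrow^{\mathrm{impl}}\ & x' \leq_{\mathrm{N}} y' \Rightarrow y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' . \end{aligned}$$

By rule Impl, this reduces to

$$\begin{aligned} \Gamma \vdash\ & \mathrm{impl}\ (x \leq_{\mathrm{nat}} y)\ (y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z) \\ \rightsquigarrow^{\mathrm{impl}}\ & \mathrm{impl}\ (x' \leq_{\mathrm{N}} y')\ (y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z') . \end{aligned}$$

By rule App, this reduces to

$$\Gamma \vdash y \leq_{\mathrm{nat}} z \Rightarrow x \leq_{\mathrm{nat}} z \rightsquigarrow^{R} y' \leq_{\mathrm{N}} z' \Rightarrow x' \leq_{\mathrm{N}} z' , \tag{10}$$

$$\Gamma \vdash \mathrm{impl}\ (x \leq_{\mathrm{nat}} y) \rightsquigarrow^{R \mathrel{\#\#>} \mathrm{impl}} \mathrm{impl}\ (x' \leq_{\mathrm{N}} y') . \tag{11}$$

By rule App, (11) reduces again to

$$\Gamma \vdash x \leq_{\mathrm{nat}} y \rightsquigarrow^{S} x' \leq_{\mathrm{N}} y' , \tag{12}$$

$$\Gamma \vdash \mathrm{impl} \rightsquigarrow^{S \mathrel{\#\#>} R \mathrel{\#\#>} \mathrm{impl}} \mathrm{impl} . \tag{13}$$

We will make sure that the tables are pre-filled so that judgments such as (13)
can be solved with rule Table. In that case, we will get $S = \mathrm{impl}^{-1}$ and $R =
\mathrm{impl}$. Now by rule App, (12) reduces to

$$\Gamma \vdash y \rightsquigarrow^{T} y' , \tag{14}$$

$$\Gamma \vdash \mathrm{le}\ x \rightsquigarrow^{T \mathrel{\#\#>} \mathrm{impl}^{-1}} \mathrm{N.le}\ x' . \tag{15}$$

Rule Env allows us to derive (14) with $T = \mathrm{natN}$.

As for (15), it can be solved after a few more steps by using the knowledge
that (natN ##> natN ##> impl⁻¹) le N.le, which is equivalent to (natN⁻¹
##> natN⁻¹ ##> impl) N.le le, which will be one of the user-provided transfer
lemmas (it corresponds to Axiom 4). Therefore, there only remains to solve (10)
in ways similar to this example.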

4 Related work 

4.1 Proof reuse 

More than ten years ago, Nicolas Magaud [6] proposed an extension of Coq that
seemed to share our objectives. Notably, he was able to transfer all the theorems 
that were, at the time, in the standard Arith library, from nat to N. 

The approach was quite intricate because it was able to transfer proofs, and
not just theorems. Given two isomorphic data-types, one will be considered as
the origin type and the other one as the target type. The first step is to define
functions to model the origin constructors within the target type. Moreover, new
recursion operators behaving like the ones of the origin type are added to the
target type.

With such a projection of the origin type into the target type, it is easy to 
project operators and relations. Proofs are transferred in the same way. The last 
step is to establish extensional equality between projected operators and the 
corresponding native operators of the target type. 

While interesting, we do not need to take such a complicated path for our 
objective which is only theorem reuse. Using Magaud’s approach requires much 
more work in establishing the relations between the two data-types. Moreover, 
our approach is more powerful in a sense: we can transfer properties between 
two data-types even if we know nothing of their content and the transfer lemmas 
were provided as axioms.

4.2 Algorithm reuse 

A much more recent work by Cohen et al. [5] has been of much inspiration to
us. However, the focus is not the same. In the context of program verification,
the authors propose a general method for algorithm reuse through parametricity
when refining proof-oriented data-types into efficient computation-oriented
data-types. Parametricity then enables the automatic transfer of algorithm
correctness proofs. Although they give this general method, they explain why they
do not provide a plugin. Our focus being on transparency and usability by
mathematicians, we decided to create such a plugin.

Another inspiring characteristic of their work lies in that they typically allow
refined types to contain more objects, including objects which would have
no meaning (no specification). Although we currently require precisely the opposite
so as to be able to translate theorems stating properties for all elements,
including unicity properties, we could quite easily add support for bounded
quantification. Bounded quantification would be useful for transferring theorems from
a subset type to the corresponding elements of a larger type (for instance from
N to non-negative elements of Z). Similarly, the new way to declare links between
two data-types presented in Sec. 3.1 makes it easy to use other equivalence
relations than just Leibniz equality.

4.3 Other works proposing a heterogeneous respectful arrow 

While Cohen et al. [5] inspired us to use a generalized heterogeneous respectful
arrow to allow for more precise transfer declarations and remove the limitations
of Algorithm 1, there are many other (and sometimes older) works proposing
the same definition. One example of such a work is [4, Def. 13]. But this is not
surprising as we have remarked in Sec. 3.1 that this arrow just encodes an
already existing mathematical notion of homomorphism.

Huffman and Kuncar go further as they also show how the relational
unicity and totality properties can be expressed in terms of the respectful arrow.
They produced a Transfer package for Isabelle/HOL with comparable objectives
to ours, and their transfer tactic is based on a two-step algorithm sharing
many ideas with Matthieu Sozeau’s [5]. Nothing going as far as their Transfer
package has yet been created for Coq.

5 Conclusion 

In this paper, we have shown how a simple algorithm can make use of a few 
initial declarations to ease the reuse of results from one data-type to another. 

As we improve our algorithm and become able to transfer more theorems, 
we will still have a lot to do in order to make our plugin as simple-to-use as 
possible. A first easy step will be to transform our exact modulo tactic into an 
apply modulo tactic. Then, we will need to allow for compositionality in ways 
similar to [2] and [5]. First, by allowing and handling transfer declarations for 
parametrized types. Then, by finding paths from one type to another, even when 
the relation between the two was not declared, but can be established by going 
through a sequence of transfers. 

We view this work as a little but quite interesting step in the enormous task 
of making the use of a formal proof system as easy as a pen-and-paper proof. 